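--- a/.github/workflows/validate-renovate.yml
+++ b/.github/workflows/validate-renovate.yml
@@ -0,0 +1,55 @@
+name: Validate Renovate Config
+
+# Triggers on any path Renovate would pick up as a config (see lookup order:
+# https://docs.renovatebot.com/configuration-options/#configurationoptions).
+# Listing them all means a PR can't accidentally bypass validation by adding,
+# say, a higher-precedence `renovate.json` while only the `.json5` is path-filtered.
+on:
+pull_request:
+paths:
+- 'renovate.json'
+- 'renovate.json5'
+- '.renovaterc'
+- '.renovaterc.json'
+- '.github/renovate.json'
+- '.github/renovate.json5'
+- '.github/workflows/validate-renovate.yml'
+push:
+branches: [master]
+paths:
+- 'renovate.json'
+- 'renovate.json5'
+- '.renovaterc'
+- '.renovaterc.json'
+- '.github/renovate.json'
+- '.github/renovate.json5'
+- '.github/workflows/validate-renovate.yml'
+
+jobs:
+validate:
+name: renovate-config-validator
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+
+# We've deliberately chosen `renovate.json5` (supports comments). Any
+# higher-precedence config file (`renovate.json`, `.renovaterc`,
+# `.github/renovate.json`) would silently override it — fail loudly
+# so a stray file is caught at PR time.
+- name: Refuse higher-precedence config files
+run: |
+higher_precedence=(renovate.json .renovaterc .renovaterc.json .github/renovate.json)
+found=()
+for f in "${higher_precedence[@]}"; do
+[[ -f "$f" ]] && found+=("$f")
+done
+if (( ${#found[@]} > 0 )); then
+echo "::error::Higher-precedence Renovate config file(s) present — these override renovate.json5: ${found[*]}"
+exit 1
+fi
+
+- uses: actions/setup-node@v4
+with:
+node-version: '24'
+
+- run: npx --yes --package renovate@43 -- renovate-config-validator --strict --no-global renovate.json5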
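Review bot: No `permissions:` key is set anywhere in the workflow, so the validate job's GITHUB_TOKEN receives whatever default scope the repository grants even though the job only needs to read the checkout; add `permissions:` / `  contents: read` at the top level before `jobs:`. Both `uses:` lines pin actions by tag (`actions/checkout@v4`, `actions/setup-node@v4`) while the companion renovate.json5 states that the inherited preset SHA-pins GitHub Actions, so pinning these to a full commit SHA with a `# vX.Y.Z` comment would match that policy and let Renovate keep them current. The final `npx --yes --package renovate@43` step resolves a floating major at run time and executes whatever it fetches; pinning the exact validator version makes the check reproducible. Also, `.renovaterc.json5` appears neither in the two `paths:` filters nor in the `higher_precedence` array — if Renovate honours that filename, a PR that adds only it bypasses both the validation and the collision check, so it would belong in all three lists.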
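--- a/renovate.json5
+++ b/renovate.json5
@@ -0,0 +1,21 @@
+{
+$schema: "https://docs.renovatebot.com/renovate-schema.json",
+
+// Baseline = `hardcoretech/conf-renovate`. Inherited policy from the
+// preset's `default.json5`:
+// - `config:best-practices` (dependency dashboard, internal-checks-filter,
+// `groupName: null` for major updates, etc.)
+// - SHA-pinned GHA + 3-day release-age soak + OSV vulnerability alerts
+// - Per-ecosystem PR grouping (backend / frontend / docker / gha / terraform)
+// - Datastore version pinning (mysql / rabbitmq / valkey on docker+helm)
+// - PR volume controls (`prConcurrentLimit: 4`, `prHourlyLimit: 4`)
+// - Weekly Monday schedule
+// The preset auto-bumps this pin via its own customManager (v1.1.0+).
+extends: [
+"github>hardcoretech/conf-renovate#v1.2.1",
+// Don't widen semver ranges (`^1.2.3` stays `^1.2.3`). Not in the preset.
+":preserveSemverRanges",
+],
+
+labels: ["dependencies"],
+}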
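Review bot: The `extends` array relies on order — Renovate applies later entries over earlier ones — and the comment on `:preserveSemverRanges` only says it is "Not in the preset", which leaves a reader unsure whether the position is deliberate; a comment such as `// Must stay after the preset: later extends entries override earlier ones.` on that entry records the intent. Since the preset pulls in `config:best-practices`, which may itself set a range strategy, it is worth confirming in the validator's resolved output which `rangeStrategy` actually wins for this repository.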